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Amendments to the Claims 

The listing of claims will replace all prior versions, and listings of claims in 
the application. 

1 . (currently amended) A security processing method comprising: 

receiving, by a security processor, an internal outbound packet from an 
Ethernet controller, wherein the internal outbound packet includes a flow identifier for 
the internal outbound p acket and [[a]] security processor address data identifier ; 

processing at least a portion of the received internal outbound p acket if 
the security processor address data identifier matches an identifier address 
information associated with the security processor, wherein the processing includes: 

using the flow identifier as a direct address handle to retrieve a 
security association for the received internal outbound p acket, 

performing a cryptographic operation on a portion of the received 
internal outbound p acket using at least a portion of the retrieved security association, 
and 

assembling an outbound network packet including a header and the 
cryptographically processed portion of the received internal outbound p acket; and 
transmitting, from the security processor, the outbound network 

packet. 

2. (previously presented) The method of claim 1 wherein performing the 
cryptographic operation comprises performing one or more IPsec operations. 

3. (original) The method of claim 2 wherein the IPsec operations comprise 
adding or removing protocol elements. 
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4-6. (canceled) 

7. (previously presented) The method of claim 1 wherein the security 
processor resides on a network interface card (NIC). 

8. (currently amended) A security processor comprising: 
at least one media access controller (MAC); and 

at least one processor configured to: 

receive an internal outbound packet from an Ethernet controller via the 
MAC, wherein the internal outbound packet includes a flow identifier for the internal 
outbound packet and [[a]] security processor address data identifier , 

process at least a portion of the received internal outbound p acket if the 
security processor address data id e ntifier matches an identifier address information 
associated with the security processor, including: 

using the flow identifier as a direct address handle to retrieve a security 
association for the received internal outbound p acket, 

performing a cryptographic operation on a portion of the received 
internal outbound packet using at least a portion of the retrieved security association, 
and 

assembling an outbound network packet including a header and the 
crypto graphically processed portion of the received internal outbound p acket. 

9. (original) The security processor of claim 8 wherein the at least one 
processor comprises at least one IPsec processor. 
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10. (currently amended) The security processor of claim 9 wherein the IPsec 
processor is configured to add IPsec protocol elements to or to remove IPsec protocol 
elements from the internal outbound packet or the outbound network packet data. 

11. (canceled). 

12. (previously presented) The security processor of claim 8 further 
comprising at least one data memory for storing security association information for 
use by the at least one processor, wherein the security association information 
includes a handle and security association data. 

13-14 (canceled). 

15. (previously presented) The security processor of claim 8 wherein the 
security processor resides on a network interface card (NIC). 

16. (currently amended) An in-line security processor comprising: 
a plurality of media access controllers (MACs); and 

at least one processor configured to receive an internal outbound packet 
from an Ethernet controller via at least one of the plurality of MACs, wherein the 
internal outbound packet includes a flow identifier for the internal outbound p acket 
and [[a]] security processor address data identifier , 

process at least a portion of the received internal outbound packet if the 
security processor address data id e ntifier matches an identifier address information 
associated with the security processor, including: 

using the flow identifier as a direct address handle to retrieve a security 
association for the received internal outbound p acket. 
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performing a cryptographic operation on a portion of the received internal 
outbound packet using at least a portion of the retrieved security association, and 

assembling an outbound network packet including a header and the 
cryptographically processed portion of the received internal outbound p acket. 

17. (original) The in-line security processor of claim 16 wherein the at least 
one processor comprises at least one EPsec processor. 

18. (currently amended) The in-line security processor of claim 17 wherein the 
IPsec processor is configured to add EPsec protocol elements to or to remove DPsec 
protocol elements from the internal outbound packet or the outbound network packet 

XXaXtt, 

19. (canceled). 

20. (original) The in-line security processor of claim 16 further comprising at 
least one data memory for storing security association information for use by the at 
least one processor. 

21. (currently amended) A security processing system comprising: 

at least one media access controller (MAC); 

at least one security processor configured to: 

receive an internal outbound packet from an Ethernet controller via 
at least one MAC, wherein the internal outbound packet includes a flow identifier for 
the internal outbound p acket and [[a]] security processor address data identifier , 
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process at least a portion of the received internal outbound packet 

if the security processor address data identifier matches an identifier address 

information associated with the security processor, including: 

using the flow identifier as a direct address handle to retrieve a 
security association for the received internal outbound p acket, 

performing a cryptographic operation on a portion of the 
received internal outbound p acket using at least a portion of the retrieved security 
association, and 

assembling an outbound network packet including a header and 
the cryptographically processed portion of the received internal outbound p acket; and 
at least one switch for distributing or collecting packets between the at 
least one media access controller and the at least one security processor. 

22. (original) The security processing system of claim 21 wherein the at least 
one media access controller comprises at least one Gigabit MAC. 

23. (currently amended) The security processing system of claim 21 wherein 
the at least one security processor is further configured to allocate memory space 
associated with the security association associations used by the at least one security 
processor. 

24. (original) The security processing system of claim 21 wherein the at least 
one switch associates VLAN tags with the at least one media access controller. 

25-26. (canceled) 
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27. (currently amended) A chassis-based switch comprising: 

at least one backplane; 

at least one processing blade connected to the at least one backplane, 
the at least one processing blade comprising at least one media access controller; and 

at least one switching blade connected to the at least one backplane, 
the at least one switching blade comprising: 

at least one security processor configured to: 

receive an internal outbound packet from an Ethernet 
controller, wherein the internal outbound packet includes a flow identifier for the 
internal outbound p acket and [[a]] security processor address data identifier , 

process at least a portion of the received internal outbound 
packet if the security processor address data identifier matches an identifier address 
information associated with the at least one security processor, including: 

using the flow identifier as a direct address handle to 
retrieve a security association for the received internal outbound p acket, 

performing a cryptographic operation on a portion of the 
received internal outbound p acket using at least a portion of the retrieved security 
association, and 

assembling an outbound network packet including a header 
and the cryptographically processed portion of the received internal outbound p acket; 
and 

at least one packet switch for routing packets between the at least 
one media access controller and the at least one security processor. 
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28 -32. (canceled) 



33. (currently amended) A security processing system comprising: 
at least one Ethernet controller configured to: 

receive a TCP/IP packet in a data flow and store context 
information associated with the TCP/IP packet; 

identify flow identification information for the data flow including 
a flow identifier; and 

generate an internal packet including a security identifier header 
having the flow identifier, [[a]] security processor address data identifier , and at least 
a portion of the TCP/IP packet; and 

at least one security processo r, connected to receive the internal pack e t 
from the at least on e Eth e rn e t controller, the at least one security processor configured 
to: 

receive the internal packet from [[an]] the at least one Ethernet 
controller, wherein the internal outbound packet includes a flow identifier for the 
packet and [[a]] security processor address data identifier , 

process at least a portion of the received internal p acket if the 
security processor address data identifi e r matches an identifier address information 
associated with the security processor, including: 

using the flow identifier as a direct address handle to retrieve a 
security association for the received internal p acket, 

performing a cryptographic operation on a portion of the 
received packet using at least a portion of the retrieved security association, and 



- 9 - BUER et al 

Appl. No. 10/727,430 
Atty. Docket: 2875.0240001 

assembling an outbound network packet including a header and 

the cryptographically processed portion of the received internal p acket. 



34. (withdrawn) A method of configuring a security processor comprising: 
generating configuration information; 

formatting the configuration information into at least one packet; and 
sending the at least one packet over a Gigabit Ethernet network to a 
security processor. 

35. (withdrawn) The method of claim 34 wherein the at least one packet 
comprises at least one IP sec packet. 

36. (withdrawn) A method of configuring a security processor comprising: 

receiving at least one packet containing configuration information over a 
Gigabit Ethernet network; 

extracting the configuration information from the at least one packet; and 

configuring a security processor using the extracted configuration 

information. 

37. (withdrawn) The method of claim 36 wherein the at least one packet 
comprises at least one BPsec packet. 

38. (withdrawn) A method of configuring a security processor comprising: 
generating at least one security association; 

formatting the at least one security association into at least one packet; and 
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sending the at least one packet over a Gigabit Ethernet network to a 

security processor. 

39. (withdrawn) A method of configuring a security processor comprising: 
receiving at least one packet containing at least one security association 

over a Gigabit Ethernet network; extracting the at least one security association from 
the at least one packet; and 

storing the extracted at least one security association. 

40. (currently amended) A method, in a Ethernet controller, of generating an 
internal packet for transmission to a security processor over a PCI bus comprising: 

receiving a TCP/IP packet in a data flow and storing context 
information associated with the TCP/IP packet; 

identifying flow identification information for the data flow 
including a flow identifier; 

generating the internal packet including a security identifier header 
having the flow identifier, [[a]] security processor address data identifier , and at least 
a portion of the TCP/IP packet; and 

transmitting the internal packet to the security processor over the 
PCI bus for cryptographic processing. 

41 -50. (canceled). 

51. (currently amended) The security processing system of claim 33 wherein 
the at least one security processor is further configured to modify at least one 
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checksum in the at least one security identifier header added by the at least on e 

network controller . 

52. (currently amended) The security processing system of claim 33 wherein 
the at least one Ethernet controller modifies at least one maximum transmitted unit 
size in accordance with modifications the at least one security processor makes to at 
least a portion of the outbound network p ackets. 

53. (currently amended) The security processing system of claim 33 wherein 
the at least one Ethernet controller reduces at least one TCP/IP payload size in 
accordance with at least one security header and trailer size added to at least a portion 
of the outbound network p ackets. 

54 - 55 (canceled). 

56. (previously presented) The security processing system of claim 33 wherein 
the at least one Ethernet controller securely communicates with the at least one 
security processor to configure the at least one security processor or retrieve status 
information from the at least one security processor. 

57. (canceled). 

58. (previously presented) The method of claim 1, further comprising: 

entering a low power state upon receipt of a low-power configuration 
signal, wherein entering the low power state includes: 

disabling an IPSec data path and a public key data path. 
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59. (currently amended) The method of claim 58, further comprising: 

receiving a second configuration signal indicating a release from low 

power state; and 

enabling the IPSec data path and the public key data path. 



60. (previously presented) The method of claim 1, further comprising: 

prior to receiving the internal outbound packet in a flow, 

receiving security association information for the flow, the security 
association information including a security association handle and security 
association data. 

61. (previously presented) The method of claim 60, further comprising: 

storing the security association information in a local memory 
associated with the security processor. 



62. (previously presented) The method of claim 1, wherein the security 
processor resides on a motherboard of a computer system. 

63. (previously presented) The security processor of claim 8, wherein the at 
least one processor is further configured to enter a low power state upon receipt of a 
low-power configuration signal and disable an IPSec data path and a public key data 
path. 
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64. (currently amended) The security processor of claim 63, wherein the at 
least one processor is further configured to: 

receive a second configuration signal indicating a release from low 
power state; and 

enable the IPSec data path and the public key data path. 

65. (previously presented) The security processor of claim 8, wherein the at 
least one processor is further configured to receive security association information 
for the flow, the security association information including a security association 
handle and security association data. 

66. (previously presented) The security processor of claim 65, wherein the at 
least one processor is further configured to store the security association information 
in a local memory associated with the security processor. 

67. (previously presented) The security processor of claim 8, wherein the 
security processor resides on a motherboard of a computer system. 

68. (previously presented) The security processor of claim 8, wherein the 
security processor is in-line with a data path of a packet network. 



